DB2 Version 9.7 for Linux, UNIX, and Windows

REVOKE (server privileges) statement

This form of the REVOKE statement revokes the privilege to access and use a specified data source in pass-through mode.

Invocation

This statement can be embedded in an application program or issued through the use of dynamic SQL statements. It is an executable statement that can be dynamically prepared only if DYNAMICRULES run behavior is in effect for the package (SQLSTATE 42509).

Authorization

The privileges held by the authorization ID of the statement must include ACCESSCTRL or SECADM authority.

Syntax


>>-REVOKE PASSTHRU ON SERVER--server-name--FROM----------------->

   .-,---------------------------------.               
   V                                   |  .-BY ALL-.   
>----+-+-------+--authorization-name-+-+--+--------+-----------><
     | +-USER--+                     |                 
     | +-GROUP-+                     |                 
     | '-ROLE--'                     |                 
     '-PUBLIC------------------------'

Description

SERVER server-name

Names the data source for which the privilege to use in pass-through mode is being revoked. server-name must identify a data source that is described in the catalog.

FROM

Specifies from whom the privilege is revoked.

USER: Specifies that the authorization-name identifies a user.
GROUP: Specifies that the authorization-name identifies a group name.
ROLE: Specifies that the authorization-name identifies a role name.
authorization-name,...: Lists the authorization IDs of one or more users, groups, or roles.
The list of authorization IDs cannot include the authorization ID of the user issuing the statement (SQLSTATE 42502).
PUBLIC: Revokes from PUBLIC the privilege to pass through to server-name.

BY ALL

Revokes the privilege from all named users who were explicitly granted that privilege, regardless of who granted it. This is the default behavior.

Rules

For each authorization-name specified, if neither USER, GROUP, nor ROLE is specified, then:
- For all rows for the specified object in the SYSCAT.PASSTHRUAUTH catalog view where the grantee is authorization-name:
  - If all rows have a GRANTEETYPE of 'U', USER is assumed.
  - If all rows have a GRANTEETYPE of 'G', GROUP is assumed.
  - If all rows have a GRANTEETYPE of 'R', ROLE is assumed.
  - If all rows do not have the same value for GRANTEETYPE, an error is returned (SQLSTATE 56092).

Examples

Example 1: Revoke USER6's privilege to pass through to data source MOUNTAIN.

   REVOKE PASSTHRU ON SERVER MOUNTAIN FROM USER USER6

Example 2: Revoke group D024's privilege to pass through to data source EASTWING.

   REVOKE PASSTHRU ON SERVER EASTWING FROM GROUP D024

The members of group D024 will no longer be able to use their group ID to pass through to EASTWING. But if any members have the privilege to pass through to EASTWING under their own user IDs, they will retain this privilege.